CN104184717A - Virtual host safety protection system design - Google Patents
- Publication number: CN104184717A (application CN201410057063.0A)
- Authority: CN (China)
- Prior art keywords: security, configuration, information, host computer, network
- Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Description
Technical field
This invention relates to a virtual host security protection system.
Background
Cloud computing is a transformation in the field of information technology, an inevitable trend of its development and the natural result of its deep application, and it necessarily has a major impact on information security assurance.
In the era of electronic communication, information security research focused mainly on cryptography in order to keep communications confidential. With the computer age the concept changed: host security became the main research goal, and the security protection architecture that takes security model analysis and verification as its theoretical basis, information security products as its main building blocks, and security domain construction as its main objective gradually became mainstream.
In the cloud computing era, computing, storage and data resources are highly shared and become genuine basic resources, so ordinary users can enjoy higher-end IT services. This innovative model also brings challenges and opportunities to information security: data security and privacy protection in the cloud environment, secure computing in a multi-tenant environment, and multi-level, comprehensive changes in key technologies, standards, regulations and national supervision and management systems are all urgently needed.
In the traditional network security model, a network computing environment is protected layer by layer with various hardware appliances, but these devices lack coordinated protection and unified management. In today's cloud data center the granularity of protection is becoming ever finer: different virtual machines carry different business requirements and need different protection levels, which places higher demands on security management.
Based on the characteristics of the cloud data center, the virtual host security protection scheme proposed here changes traditional network security protection and addresses the security problems raised by virtualization and multi-tenancy. The integrated cabinet is the basic unit: it is the unit of cloud platform deployment and operations management and also the unit of security protection, and hosts in the same cabinet belong to the same security domain. Security devices are provided as components, so new security components can be added as requirements grow; a library of security measures is built on top of the components, with different security measure templates customized for different types of security requirement; SecaaS (Security-as-a-Service) is introduced so that each tenant receives its own personalized security service; and security components such as an encryption/decryption engine and key management are designed and developed for the security requirements of the cloud platform.
Contents of the invention
To overcome the inability of existing cloud computing data centers to provide targeted security protection for the many virtual machine groups with specific functions inside the data center, the invention proposes a virtual machine host security protection system design that raises the overall security level of the cloud data center. The invention uses a distributed, multi-component, multi-instance approach to provide a componentized, customized, dynamic and automated security protection scheme for all virtual machines in the data center.
The technical scheme targets the characteristics of the cloud computing data center. The virtual host security protection system takes "security as a service" as its starting point, the virtual machine as its core and the virtual machine group as its unit, and is deployed in a distributed way: a security node is deployed in transparent mode in each cabinet of the cloud computing center, the security nodes work independently without affecting one another, and all security nodes are managed centrally by the virtual host protection management center.
In the cloud environment users interact with a virtual host over the network, and the business functions the virtual host carries are also provided externally over the network, so network communication is the main channel between the virtual host and the outside world, and protecting the virtual host's network communication goes a long way toward securing the virtual host.
The security node consists of core function modules: the unified security gateway, unified configuration management and the security protection components, as shown in Figure 2. They are described in turn below.
1. Unified security gateway function module
The main function of the unified security gateway is to parse and filter network packets.
The gateway module consists of five parts: network service, log service, data storage service, user authentication service and network traffic management service, as shown in Figure 3. Through the network configuration in unified configuration management the gateway sets the network information the system runs with: NIC information, host name and dynamic DNS client configuration, DHCP (Dynamic Host Configuration Protocol) and DNS resolution. Event log information can likewise be viewed by event type or network event type through the settings of the unified configuration management subsystem. A client accessing the system must authenticate with a certificate; otherwise the relevant functions are not shown and login reports a certificate error. Policy information set by the user and all added application information are stored in a PostgreSQL database.
The business flow of the unified security gateway is shown in Figure 4. The gateway filters network packets, and the filtering requires two NICs. Packets enter through the first NIC, eth0, and are passed through the interfaces each component exposes to the gateway for rule matching. Once a component has finished matching, it marks packets that pass in one way and packets that fail (threatening packets) in another; the marked packets then flow back out of the component into the unified security gateway, which discards or keeps each packet according to the two marks. Packets judged non-threatening proceed to the next stage and leave through the eth1 NIC.
The packet capture mechanism in the unified security gateway has three parts: an operating-system-specific packet capture mechanism, an interface for user programs, and a packet filtering mechanism.
A packet normally travels from the NIC through the device driver layer, the data link layer, the IP layer and the transport layer before reaching the application. The capture mechanism adds a bypass at the data link layer that filters and buffers sent and received packets and delivers them directly to the application; it does not interfere with the operating system's own network-stack processing of the packets. To the user program the capture mechanism presents a unified interface, so the program obtains the packets it wants by calling a few functions, and the operating-system-specific capture mechanism stays transparent to it, which gives user programs good portability. The packet handling covers the following:
a) Use ioctl commands to configure the NIC and copy all link-layer packets into a buffer.
b) Use Linux high-performance network I/O to improve inter-network communication performance.
c) For each event received from the high-performance network I/O, dispatch to the processing module registered for that event, and re-encapsulate the received packet according to its protocol so that it is convenient for packet filtering.
Packet filtering selects among the captured packets according to the user's requirements and finally passes only the packets that satisfy the filter conditions to the user program.
Packet filtering is the most basic firewall technique; a device with packet filtering controls the data flowing into and out of the internal and external networks. Most packet filtering is based on the TCP/IP protocol suite: each packet in the flow is inspected and, based on its source address, destination address, TCP/UDP port numbers and TCP flags or connection state, the decision is made whether to let it pass. Packet filtering here comprises the following:
All packets on the network are collected through epoll-based high-performance network I/O and processed according to their header information.
a) Parse the packets received by the bypass listener and process them separately as TCP, UDP or ICMP.
b) Match the parsed packet against the packet filter conditions, set the packet's processing flag according to the filter conditions, and let the operating system kernel handle the packet according to that flag.
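The capture, parse, mark and verdict pipeline described in this section, as an added example that is not part of the patent: frames are decoded from the link layer for TCP, UDP and ICMP, each security component returns a pass or threat mark, and the gateway discards or forwards according to the marks. The allow-list rule format, the two component checks, the constants and the constructed frames are assumptions for illustration; raw-socket capture, ioctl NIC setup and epoll are replaced by in-memory frames so the logic runs offline.

```python
"""Added example (not the patent's code): parse captured frames, let each security
component mark them PASS or THREAT, and apply the gateway's keep-or-drop verdict."""
import struct
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

PASS, THREAT = "pass", "threat"
ETH_P_IP = 0x0800
TCP_FIN, TCP_SYN = 0x01, 0x02

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp", "udp", "icmp" or "other"
    src_port: Optional[int]
    dst_port: Optional[int]
    tcp_flags: int
    marks: List[str] = field(default_factory=list)   # one mark per component

def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet + IPv4 + L4 headers; None means unparseable (non-IPv4, truncated)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None
    proto_num = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    sport = dport = None
    flags = 0
    if proto_num == 6 and len(l4) >= 20:        # TCP: ports at bytes 0-3, flags at byte 13
        sport, dport = struct.unpack("!HH", l4[:4])
        flags, proto = l4[13], "tcp"
    elif proto_num == 17 and len(l4) >= 8:      # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        proto = "udp"
    elif proto_num == 1 and len(l4) >= 4:       # ICMP
        proto = "icmp"
    else:
        proto = "other"
    return Packet(src, dst, proto, sport, dport, flags)

Component = Callable[[Packet], str]

def firewall_component(allow_rules: List[Tuple[str, Optional[int]]]) -> Component:
    """Assumed rule format: allow-list of (protocol, destination port or None); the rest is THREAT."""
    def check(pkt: Packet) -> str:
        for proto, port in allow_rules:
            if pkt.proto == proto and (port is None or pkt.dst_port == port):
                return PASS
        return THREAT
    return check

def ips_component(pkt: Packet) -> str:
    """Marks TCP flag combinations no legitimate stack sends (NULL scan, SYN+FIN)."""
    if pkt.proto == "tcp" and (pkt.tcp_flags == 0 or
                               (pkt.tcp_flags & TCP_SYN and pkt.tcp_flags & TCP_FIN)):
        return THREAT
    return PASS

def gateway_verdict(frame: bytes, components: List[Component]) -> Tuple[str, Optional[Packet]]:
    """Gateway step: collect every component's mark; drop if any is THREAT, else forward to eth1."""
    pkt = parse_frame(frame)
    if pkt is None:
        return "drop", None                     # fail closed on frames we cannot parse
    for component in components:
        pkt.marks.append(component(pkt))
    return ("drop" if THREAT in pkt.marks else "forward"), pkt

# Constructed frames for offline use (checksums left zero; the parser does not verify them).
def build_frame(src: str, dst: str, proto_num: int, l4: bytes) -> bytes:
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto_num, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + l4

def tcp_segment(sport: int, dport: int, flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def udp_datagram(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)

COMPONENTS = [firewall_component([("tcp", 80), ("tcp", 443), ("udp", 53), ("icmp", None)]),
              ips_component]

if __name__ == "__main__":
    frame = build_frame("10.0.0.5", "10.0.0.10", 6, tcp_segment(40002, 80, TCP_SYN | TCP_FIN))
    print(gateway_verdict(frame, COMPONENTS))   # firewall passes port 80, IPS marks SYN+FIN: drop
```

The verdict is "any threat mark drops", which is what the text's two-way marking implies; a real deployment would also record each component's mark in the event log so that the per-component logs the later sections describe can be reconstructed from the same record.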
2. Unified configuration management function module
The unified configuration management function module consists of network configuration, management configuration, system configuration, local directory configuration and system information configuration, as shown in Figure 5.
Network configuration sets the network information the system runs with (NIC information and solutions to common network problems). Management configuration adds administrator account information, enables external access to the system and sets the public address for that access, generates a self-signed certificate from certificate information entered by the user (clients must therefore trust this certificate explicitly, which is why login otherwise reports a certificate error), enables or disables Simple Network Management Protocol (SNMP) monitoring, and lets users change the system skin or upload a skin of their own in .zip format. System configuration allows a manual restart or shutdown of the server, runs the installation wizard, backs up and restores individual system information, and sets the system's protocol information for Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3) and Internet Message Access Protocol (IMAP). Local settings show the current time of the server hosting the system, set the time zone and the login language, let users upload a new .zip language pack, and force the server time to be updated to the current time. Local directory configuration adds the user information for VPN login and edits (deletes or modifies) the added VPN users. System information configuration shows the system's current version, license and license agreement.
3. Security protection components
The security protection components comprise a firewall component, an intrusion detection component, an intrusion prevention component, a virus threat component and a denial-of-service defense component, as shown in Figure 6.
The firewall component lets the user add the firewall rules to filter on, edit (delete or modify) the added rules, import and export rules in bulk, and view event log information by event type (all active events or blocked events) and by scope (the default rack or all racks).
The intrusion prevention component shows its status information, lets the user add the rules it filters on (rules together with their rule variables), edit (modify or delete) the added rules and their variables, export and import rules and variables in bulk, and view event log information by event type (all active events or blocked events) and by scope (the default rack or all racks).
The virus threat component sets the web content to be filtered (file extensions and MIME types) and lets the user add and edit (modify or delete) those extension and MIME type entries; sets the e-mail filtering, enabling or disabling scanning for the mail protocols (SMTP, POP3, IMAP); sets FTP filtering; and shows web event logs by web event type (infected or clean) and e-mail event logs by e-mail event type (infected or clean).
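The extension and MIME-type filtering that the virus threat component applies to web traffic, as an added example not taken from the patent. It classifies a constructed HTTP response into the page's "infected" or "clean" web event type and returns the reasons; the blocklists, magic signatures and sample responses are assumptions. It goes one step beyond the page by also comparing the declared Content-Type against the body's leading bytes, because a filter on extension or declared MIME type alone is defeated by relabelling an executable as an image.

```python
"""Added example (not the patent's code): content check of a virus-threat component on an
HTTP response. Blocklists, magic table, verdict names and samples are assumptions."""
import os
from typing import Dict, List, Optional, Tuple

# Assumed operator policy: extensions and declared MIME types to block.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs", ".js", ".hta"}
BLOCKED_MIME = {"application/x-msdownload", "application/x-executable", "application/hta"}

# Leading-byte signatures used to infer the real type independently of what the server claims.
MAGIC = {
    b"MZ": "application/x-msdownload",        # PE executable
    b"\x7fELF": "application/x-executable",
    b"%PDF": "application/pdf",
    b"PK\x03\x04": "application/zip",
}

def sniff_mime(body: bytes) -> Optional[str]:
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return None

def split_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Return lower-cased header names -> values, and the body, of an HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:    # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers, body

def disposition_filename(value: str) -> str:
    """Pull filename="..." out of a Content-Disposition header value."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "filename":
            return val.strip().strip('"')
    return ""

def inspect_http_response(raw: bytes, url_path: str = "") -> Tuple[str, List[str]]:
    """Classify as 'infected' or 'clean' (the page's web event types) and list the reasons."""
    headers, body = split_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    filename = disposition_filename(headers.get("content-disposition", "")) or url_path.rsplit("/", 1)[-1]
    ext = os.path.splitext(filename)[1].lower()
    reasons: List[str] = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"extension {ext} is blocked")
    if declared in BLOCKED_MIME:
        reasons.append(f"declared type {declared} is blocked")
    sniffed = sniff_mime(body)
    if sniffed is not None and sniffed != declared:
        # Extension/MIME policy alone is evaded by relabelling; compare against the body's magic.
        reasons.append(f"declared {declared or '(none)'} but body looks like {sniffed}")
        if sniffed in BLOCKED_MIME:
            reasons.append(f"sniffed type {sniffed} is blocked")
    return ("infected" if reasons else "clean"), reasons

# Constructed sample responses (not captured traffic).
CLEAN_PDF = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
             b"Content-Disposition: attachment; filename=\"report.pdf\"\r\n\r\n%PDF-1.4\n%...")
RELABELLED_EXE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
                  b"Content-Disposition: inline; filename=\"photo.png\"\r\n\r\nMZ\x90\x00\x03\x00")
DECLARED_EXE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n"
                b"Content-Disposition: attachment; filename=\"setup.exe\"\r\n\r\nMZ\x90\x00")

if __name__ == "__main__":
    for sample in (CLEAN_PDF, RELABELLED_EXE, DECLARED_EXE):
        print(inspect_http_response(sample))
```

The relabelled sample is the case the page's extension and MIME lists miss on their own: it passes both lists and is caught only because the body starts with the PE magic. The same check applies to the mail path when the component scans SMTP, POP3 or IMAP attachments.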
The denial-of-service defense component is a prerequisite for viewing event logs in the other components: only after it has been installed can the related event log information be viewed in the other components. Within it users view report status, set the report generation schedule (weekly or daily) and the scheduled generation time, add the e-mail addresses of the users who receive reports and the size limit for attachments, and configure the log output to be viewed (enable or disable syslog).
Beneficial effects of the invention: the system provides a componentized, customized, dynamic and automated security protection scheme for all virtual machines in a cloud computing data center.
Description of drawings
Figure 1: structural diagram of the virtual host protection system.
Figure 2: structural diagram of the virtual host protection security node.
Figure 3: structural diagram of the unified security gateway.
Figure 4: flowchart of unified security gateway business processing.
Figure 5: structural diagram of unified configuration management.
Figure 6: structural diagram of the security protection components.
Specific embodiments (written according to the contents of the invention; implementations of the invention may be further supplemented)
The invention is further described with reference to the drawings and embodiments.
The invention consists of core function modules: the unified security gateway, unified configuration management and the security protection components, as shown in Figure 2, introduced as follows.
The processing steps of the unified security gateway module, with reference to Figure 4: the gateway filters network packets using two NICs. Packets enter through eth0 and are matched against rules through the interfaces each component exposes to the gateway; each component marks packets that pass in one way and threatening packets in another; the marked packets return to the unified security gateway, which discards or keeps them according to the two marks and sends the non-threatening packets on through eth1. This is the same flow described under the unified security gateway function module above.
The operating steps of the unified configuration management function module are those described under that module above: network configuration, management configuration, system configuration, local settings, local directory configuration and system information configuration.
The internal components of the unified security gateway module, with reference to Figure 6: the security protection components comprise the firewall component, intrusion detection component, intrusion prevention component, virus threat component and denial-of-service defense component.
It should be noted that the technical features above may be further combined with one another to form embodiments not listed here, all of which are regarded as within the scope of this description; and those of ordinary skill in the art may make improvements or variations based on the above description, all of which fall within the protection scope of the appended claims.
Claims (6)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410057063.0A CN104184717A (en) | 2014-02-20 | 2014-02-20 | Virtual host safety protection system design |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN104184717A true CN104184717A (en) | 2014-12-03 |
Family
ID=51965463
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104184717A (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104994089A * | 2015-06-29 | 2015-10-21 | 浪潮(北京)电子信息产业有限公司 | Security system for cloud data center |
| CN106383735A * | 2016-09-21 | 2017-02-08 | 中科信息安全共性技术国家工程研究中心有限公司 | System and method for monitoring host security of virtual machine in cloud environment in real time |
| CN106534185A * | 2016-12-12 | 2017-03-22 | 中国航空工业集团公司西安航空计算技术研究所 | Apparatus and method for real-time monitoring validity of airborne network safety software |
| CN106534185B * | 2016-12-12 | 2019-12-24 | 中国航空工业集团公司西安航空计算技术研究所 | Device and method for monitoring effectiveness of airborne network security software in real time |
| CN108040055A * | 2017-12-14 | 2018-05-15 | 广东天网安全信息科技有限公司 | A kind of fire wall combined strategy and safety of cloud service protection |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101212453A (en) * | 2006-12-29 | 2008-07-02 | 凹凸科技(中国)有限公司 | Network access control method and firewall device |
| US20090064305A1 (en) * | 2007-09-05 | 2009-03-05 | Electronic Data Systems Corporation | System and method for secure service delivery |
| CN101977187A (en) * | 2010-10-20 | 2011-02-16 | 中兴通讯股份有限公司 | Firewall policy distribution method, client, access server and system |
| CN102043917A (en) * | 2010-12-07 | 2011-05-04 | 成都市华为赛门铁克科技有限公司 | Distributed denial of service (DDOS) attack protection method, device and system for cloud computing system |
| CN103065086A (en) * | 2012-12-24 | 2013-04-24 | 北京启明星辰信息技术股份有限公司 | Distributed intrusion detection system and method applied to dynamic virtualization environment |
| CN103414748A (en) * | 2013-07-12 | 2013-11-27 | 广东电子工业研究院有限公司 | Cloud platform monitoring architecture and monitoring realizing method thereof |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111131335B (en) | | Artificial intelligence-based network security protection method, device and electronic equipment |
| Rawat et al. | | Software defined networking architecture, security and energy efficiency: A survey |
| EP3704846B1 (en) | | Cloud-based multi-function firewall and zero trust private virtual network |
| US9100363B2 (en) | | Automatically recommending firewall rules during enterprise information technology transformation |
| US10057284B2 (en) | | Security threat detection |
| US10135841B2 (en) | | Integrated security system having threat visualization and automated security device control |
| US11133999B1 (en) | | Network sensor deployment for deep packet inspection |
| CN107395570B (en) | | Cloud platform auditing system based on big data management analysis |
| WO2016010806A1 (en) | | A cyber-security system and methods thereof |
| Nife et al. | | Application-aware firewall mechanism for software defined networks |
| CN103428224A (en) | | Method and device for intelligently defending DDoS attacks |
| CN118432835A (en) | | CT cloud and edge cloud security platform |
| US20250193020A1 (en) | | Secure cluster membership for a multi-cloud security platform |
| Seeber et al. | | Improving network security through SDN in cloud scenarios |
| Lu et al. | | Integrating traffics with network device logs for anomaly detection |
| CN104184717A (en) | | Virtual host safety protection system design |
| US9172629B1 (en) | | Classifying packets |
| Oktivasari et al. | | Analysis of effectiveness of iptables on web server from slowloris attack |
| Siddiqui et al. | | SUTMS: Designing a unified threat management system for home networks |
| Fuertes et al. | | Alternative engine to detect and block port scan attacks using virtual network environments |
| CN115174219A (en) | | Management system capable of adapting to multiple industrial firewalls |
| Sari | | Countering the IoT-powered volumetric cyberattacks with next-generation cyber-firewall: Seddulbahir |
| Sacramento et al. | | Detecting Botnets and Unknown Network Attacks in Big Traffic Data |
| Cameron et al. | | Configuring Juniper Networks NetScreen and SSG Firewalls |
| Arumugam et al. | | A Shared Network Security System for Cloud Computing |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20141203 |